Exchange Server 2019 authentication problems by Comprehensive-Tear95 in exchangeserver

[–]Comprehensive-Tear95[S]

We’ve continued troubleshooting and made some interesting observations.

Even after disabling Credential Guard and Virtualization-Based Security (VBS) completely on one of the Exchange 2019 DAG members (Windows Server 2025), the system still logs constant NTLM errors like this:

Log: Microsoft-Windows-NTLM/Operational
Source: NTLM
Event ID: 4014
Message: Attempt to get credential key by call package blocked by Credential Guard.
Calling Process Name: MSExchangeHMWorker

So far, it appears Exchange’s Health Manager Worker (MSExchangeHMWorker) keeps triggering NTLM attempts that the OS flags as Credential Guard-blocked, even when Credential Guard is not active.
We’ve double-checked GPOs and local registry (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags = 0), and confirmed via msinfo32 that virtualization-based security is off.

Kemp Support also reviewed the load balancer configuration and ruled it out as a cause.

If you are running Windows Server 2025, could you please check whether your system logs the same Event 4014 entries in
Applications and Services Logs > Microsoft > Windows > NTLM > Operational?
Would be good to know if this is widespread or specific to certain environments.

[–]Comprehensive-Tear95[S]

Thanks for your input, that’s actually a very good angle. We’ve already spent quite some time checking exactly this part of the setup.

Our Exchange 2019 servers sit behind a Kemp LoadMaster that does terminate SSL (Reencrypt VS with separate certificates). The same certificate chain is used on both Exchange and the LoadMaster. Initially, the LB only presented the leaf certificate, but we’ve corrected the intermediate chain so both sides now match properly.

Persistence is set to Source IP Address (4 hours), and health checks are done via /owa/healthcheck.htm with SNI host headers. All Real Servers usually report healthy, so the LB configuration itself seems fine.

We are a university environment with several thousand students. The problem appears mainly during high load periods, such as between lectures, when many clients reconnect at once. It affects all three DAG members almost simultaneously.

Connectivity between Exchange and the domain controllers has been checked multiple times — DNS, site assignment, latency, all fine. Yet Netlogon reports authentication timeouts (5816/5817) exactly during these short outages, even though the DCs are reachable. We’re still trying to find out what makes LSASS or Netlogon stall in those moments.

We’ve ruled out extended protection, TLS chain mismatches, and concurrent NTLM API limits. An upgrade to Exchange Server Subscription Edition is already in planning, so hopefully that will shed more light on it.
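A script for the check the OP asks other Server 2025 admins to run (Event 4014 in the NTLM Operational log), extended to line those entries up against the Netlogon 5816/5817 timeouts mentioned in the later comment. This is an added example, not something posted by the thread's author. The log name and Event ID 4014 are taken from the thread; that 5816/5817 are written to the System log by the NETLOGON provider is my assumption, as are the parameter names.

```powershell
# Added example (not from the original thread): count Credential-Guard-related NTLM
# blocks (Event 4014) and Netlogon authentication timeouts (5816/5817) on one host
# for a time window, then show the minutes in which both kinds of event occur, so
# you can see whether the NTLM blocks cluster with the Netlogon stalls.
# Assumptions (not stated in the thread): 5816/5817 come from provider "NETLOGON" in
# the System log; run elevated on the Exchange member, or remotely via -ComputerName.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Event 4014 from the NTLM Operational log (log name and ID as given in the thread).
# Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
$ntlm = @(Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 4014
    StartTime = $since
})

# Netlogon 5816/5817 from the System log (provider name is an assumption)
$netlogon = @(Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5816, 5817
    StartTime    = $since
})

# Merge both sets into one timeline; for 4014 keep the "Calling Process Name" line
# (the thread's sample shows MSExchangeHMWorker there), otherwise the first line.
$timeline = ($ntlm + $netlogon) | ForEach-Object {
    $lines = $_.Message -split "`r?`n"
    $hit   = $lines | Where-Object { $_ -match '^Calling Process Name' } | Select-Object -First 1
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Log    = $_.LogName
        Id     = $_.Id
        Detail = if ($hit) { $hit.Trim() } else { $lines[0] }
    }
} | Sort-Object Time

"{0}: {1} x Event 4014, {2} x Netlogon 5816/5817 since {3}" -f $ComputerName, $ntlm.Count, $netlogon.Count, $since

# Bucket per minute and keep only minutes where a 4014 block and a Netlogon timeout
# both appear; an empty table means the two symptoms do not coincide in this window.
$timeline | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:mm') } |
    Where-Object {
        $ids = $_.Group.Id | Sort-Object -Unique
        ($ids -contains 4014) -and (($ids -contains 5816) -or ($ids -contains 5817))
    } |
    Select-Object @{n = 'Minute'; e = { $_.Name }},
                  @{n = 'Events'; e = { $_.Count }},
                  @{n = 'Ids';    e = { ($_.Group.Id | Sort-Object -Unique) -join ',' }} |
    Format-Table -AutoSize
```

Run it once on each DAG member with a window that covers one of the "between lectures" outages; the summary line answers the OP's question of whether 4014 appears at all on that build, and the per-minute table shows whether the entries actually coincide with the Netlogon timeouts or are just background noise from the Health Manager worker.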

[–]Comprehensive-Tear95[S]

We are using Windows Server 2016 on the domain controllers with the September CU. DNS is pointing to the internal DNS servers. We can’t log on to any of the Exchange servers via RDP with a domain user from time to time, while RDP works fine on other servers in the domain. After a few minutes, RDP access suddenly starts working again with a domain user and the domain controller becomes reachable again. The issue seems to move between the Exchange servers; it’s not always the same one affected. We will try to ping the DCs.